With storage technology constantly decreasing in price while corporate governance requirements and data retention legislation increase the world over, many companies have adopted a policy of storing every piece of information they have. Whether invoices, e-mails, or proposals, everything is filed away in a box or an electronic folder, "just in case".
To be blatantly honest, this is the worst solution a company can adopt. Good corporate governance means running your business correctly, and this means among other things, managing costs. Despite storage media being cheap, managing storage is not cheap. The cost of backups, server time, the additional time taken to find information as well as possible archival costs all add up.
Moreover, apart from the hassle and time wasted in sifting through all the irrelevant data to find relevant information, if you have a philosophy of storing everything, then chances are you will be storing a huge amount of duplicate and redundant information. This unnecessary waste will ultimately cost money. In some organisations it is estimated that 90% of all e-mails received are personal. Do companies really want to be managing and backing-up, searching through and archiving terabytes of personal e-mails?
With the advent of the Protection of Personal Information Bill/Act, compliance to retention requirements embodied in legislation will soon mean that some information will have to be destroyed after a set time. Companies will only be able to keep information about clients for as long as it is needed and for the purpose intended. Clearly this does not mean forever or just in case. Additionally, good corporate governance means managing risk. Very simply, the more information you keep, the greater chance there will be that there is something you won`t want appearing in court unexpectedly in future.
Should it stay or should it go?
To decide what needs to stay and what needs to go, companies should first identify the legislative universe that applies to their industry and understand the retention requirements embodied in those laws. Then they need to ensure they understand the evidential reasons to keep specific information, as well as the business reasons. Only once this research is complete, they should consider putting this knowledge into action.
Simply stated, if it is of no legal, evidential or business value to the organisation, why keep it?
A good rule of thumb says one-third of the information currently being managed is junk (duplicates or non-records). Another third needs to be kept, but should be on cheap real estate (either off-site in the case of physical records or on secondary media in the case of electronic records). Only 30% of the data stored has real current value for the business and should be stored so that is immediately available.
Record classification
To classify data effectively to support the business and not hinder it, one starts by defining the functions of the business. By understanding what functions the organisation performs, you can quickly see what information is required to support them.
The functional information is then broken down further into activities performed within those functions, then finally down to the transaction level. Records will be generated by transactions and they are the evidence of the activities of the organisation. Now you know what data the company needs and generates every day.
This will also tell you what data needs to be immediately available and what can be stored on secondary systems. Not only will this save money, but by only storing relevant information instead of junk, the data users require will be available faster.
Retain or delete?
Compliance to retention requirements embodied in legislation will soon mean that some information will have to be destroyed after a set time.
Paul Mullon is information governance executive at Metrofile.
As a part of the process of classifying the information and storing it in the appropriate location, retention rules should also be set. If these rules are defined properly and are supported by sound policies and procedures, records can be destroyed when appropriate. Of course, this assumes the company`s retention policy has been designed according to good governance requirements and legislation.
In developing the policy, input needs to be gathered from a multi-disciplinary team made up of people from records management, IT, legal, risk, compliance and senior representatives from the business. Together, they make the rules and the records manager(s) and IT implement them. Destruction is never at the discretion of the user.
It is also imperative to remember that this process applies, with few exceptions, to both electronic and physical records. A record is a record based on its content, not the medium it is stored on. Therefore, while a records management software system can automatically deal with digital records, a formal process will have to be defined to help staff find and delete the appropriate physical records.
The crux of the matter is a proper records management process defined by clear rules and procedures for the retention, storage and destruction of all types of records. Most importantly, the management process must take charge of the records as soon as they exist, allocate those that need to be stored to the appropriate locations and only allow them to leave the system when they need to be destroyed.
* Paul Mullon is information governance executive at Metrofile.
Share